Maintaining Code Integrity in a Central Software Development System

ABSTRACT

A central software development system comprises a code processor and a code authenticator. The code processor converts modified free source code received by the system to program code such as executable code or bytecode. The code authenticator selectively signs the program code using an encryption key associated with one or more devices for which the program code is designed, e.g., a computer or mobile phone. The central system may also include a code scanner. The code scanner verifies the modified free source code, e.g., by scanning the modified free source code or intermediate code generated by the code processor for impermissible code patterns. The code authenticator signs the program code if the modified free source code is verified. The impermissible code patterns may correspond to at least one of proprietary, malicious or virulent code sequences.

BACKGROUND

The present invention generally relates to software development, and particularly relates to maintaining code integrity in a central software development system.

Free source code such as open-source code is made generally available under a license permitting licensees to study, modify, and improve the source code and to redistribute the source code in modified or unmodified form. Original source code and various modified versions thereof are conventionally maintained by a central software development system for open distribution to licensed entities. A licensee downloads desired source code from the central system to the licensee's system for modification. Once modified, the licensee may remotely compile the modified source code into program code (software) or upload the modified code to the central system for compilation. If the modified source code is uploaded to the central system, the system indexes the modified code by version number so that the newly modified code can be easily located and retrieved by other licensees.

Program code created from free source code may be code that is ready for immediate execution (i.e., executable code) or code that requires a final compilation step before the code can be executed (i.e., bytecode). Executable program code is created by compiling the free source code into object code and linking the object code into executable code. Bytecode is created by compiling the free source code into intermediate code which requires further compilation or interpretation before it may be executed.

When a source licensee remotely creates program code from modified free source code, the licensee controls distribution of the program code. As such, the remotely created program code may be signed or otherwise authenticated much the same way proprietary code is authenticated. For example, the code may be signed using a private encryption key uniquely associated with the licensee who generated the program code. A device such as a mobile phone that receives the program code directly from the licensee or other trusted source can verify the authenticity of the code before downloading or executing it. For example, if the signature associated with the code is not trusted or unverifiable, the phone will not install the software.

Program code generated by a central software development system is not conventionally signed by the licensee that modified the underlying free source code. Thus, program code created by a central system conventionally has no indication of authenticity. Further, the very nature of open software development lends itself to the increased likelihood that program code is created from erroneous, malicious or virulent source code since the source code is made available to many entities. Program code created from tainted free source code cannot be trusted. Devices that execute untrustworthy program code are more susceptible to unpredictable behavior and viruses or other types of malicious code attacks than are devices that execute trusted code.

Widespread adoption of the open software development model has increased exposure to inauthentic and untrustworthy code. In some software distribution environments, software developers are provided unfettered access to devices so that software contained in the devices may be readily updated. While this may be advantageous for certain types of software such as application software, unfettered device access poses security risks for other types of software code. For example, in a mobile phone, unrestricted access to the phone's modem telecommunication protocols or boot code may seriously compromise phone security.

SUMMARY

According to the methods, apparatus and computer program product taught herein, code integrity is maintained in a central software development system by authenticating program code generated by the central system. The central system authenticates program code it generates by selectively signing the code using an encryption key associated with the device or devices for which the program code is designed, e.g., a computer or mobile phone. Devices that download program code generated by the central system can thus verify authenticity of the program code before executing it. The central system may also verify the free source code from which program code is generated before the program code is signed, e.g., by scanning for impermissible code patterns. This way, only verified source software is authenticated by the central system. As such, the likelihood that erroneous, malicious, virulent or otherwise undesirable code is executed by devices that download software generated by the central system is reduced.

According to one embodiment of a central software development system, the system comprises a code processor and a code authenticator. The code processor converts modified free source code received by the system to program code. The code authenticator selectively signs the program code using an encryption key associated with one or more devices for which the program code is designed. In one embodiment, the code authenticator signs the program code by selectively calculating a hash value based on the program code and encrypting the hash value using the encryption key. The program code may comprise executable code or bytecode.

The central system may also include a code scanner. The code scanner verifies the modified free source code, e.g., by scanning the modified free source code or intermediate code generated by the code processor for impermissible code patterns. The code authenticator signs the program code if the corresponding modified free source code is verified by the code scanner. The impermissible code patterns may correspond to at least one of proprietary, malicious or virulent code sequences.

Of course, the present invention is not limited to the above features and advantages. Those skilled in the art will recognize additional features and advantages upon reading the following detailed description, and upon viewing the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of one embodiment of a central software development system.

FIG. 2 is a block diagram of one embodiment of a code authenticator included in or associated with the central software development system of FIG. 1.

FIG. 3 is a block diagram of one embodiment of a code processor included in or associated with the central software development system of FIG. 1.

FIG. 4 illustrates one embodiment of processing logic for authenticating program code generated by the central software development system of FIG. 1.

FIG. 5 is a block diagram of another embodiment of a code authenticator included in or associated with the central software development system of FIG. 1.

DETAILED DESCRIPTION

FIG. 1 illustrates an embodiment of a central software development system 10. The central system 10 makes free source code generally available to licensees. As used herein, the term ‘free source code’ is source code such as open-source code that is made generally available under a license permitting licensees to study, modify, and improve the source code and to redistribute the source code in modified or unmodified form. Modified free source code is returned to the central system 10 for compilation into program code. As used herein, the term ‘program code’ is code that is ready for execution (executable code) or code that requires a final compilation or interpretation step before it can be executed (bytecode). Regardless, the central system 10 provides a single location for both maintaining modified free source code and building software from modified free source code.

Program code generated by the central system 10 is signed by a code authenticator 12 included in or associated with the system 10 for indicating authenticity of the program code. Thus, recipients of signed program code are provided assurance that the code was generated by a trusted source, i.e., the central system 10. Program code generated by software developers who fail to return modified source code to the central system 10 is not signed by the central system 10, and thus, may not be executed by target devices 14 since it has not been authenticated by the central system 10. Regardless, in one embodiment, the code authenticator 12 signs program code by performing a hash routine on the code and then encrypting the resulting hash value. The encryption key used to sign program code is associated with the device(s) 14 for which the program code is designed or otherwise intended, not the entity that modified the underlying free source code.

The central system 10 may generate program code designed for various types of devices 14 such as computers or embedded devices such as mobile phones, portable computers, handheld devices, network interface cards, etc. The encryption key may be uniquely associated with a single device or group of devices, e.g., all devices having the same model or version number. If each device 14 for which the program code is designed does not recognize the signature associated with the code, each target device 14 may independently choose not to install the code. Thus, program code generated by the central system 10 is authenticated even though it is generated in a centralized, open environment.

In more detail, a code repository 16 included in or associated with the central system 10 stores free source code maintained by the system 10. Licensees gain access to the free source code, e.g., by logging into the central system 10. After logging in, a licensee identifies a particular version of source code to be modified. The desired version of source code is retrieved from the code repository 16 and downloaded to the licensee's remote system 18 and stored in memory 20 included in or associated with the remote system 18. The downloaded source code is then remotely modified, e.g., using a source code editor 22 such as a script editor or the like. The modified source code is subsequently uploaded to the central system 10. Alternatively, a code processor 24 included in or associated with the central system 10 locally modifies the source code at the central system 10.

Either way, the central system 10 assigns a version number to the newly modified source code and stores the code in the code repository 16 for subsequent use. The code processor 24 included in or associated with the central system 10 compiles the modified source code into program code. The code authenticator 12 then signs the newly created program code using the encryption key associated with each device 14 for which the program code is designed or otherwise intended. The encryption key may be a public or private encryption key provided to the central system 10 or generated by the system 10. Regardless, various encryption key records 26 maintained by the central system 10 are searched until the key corresponding to each target device 14 is found.

In one embodiment, a code scanner 28 included in or associated with the central system 10 verifies the free source code from which the program code is generated before the program code is signed using the retrieved encryption key. The code scanner 28 verifies the free source code by determining whether the source code or code associated with the source code contains impermissible code patterns as will be described in detail later. As such, the code scanner 28 prevents virulent, malicious or otherwise undesired code from being signed by the code authenticator 12. If the code scanner 28 is used, signed program code generated by the central system 10 is thus both verified by the code scanner 28 and authenticated by the code authenticator 12.

Program code is made available for download to each device 14 for which the code was designed. The entity that modified the source code from which the program code was generated may download the program code to the entity's remote system 18. A software upgrade utility 30 included in the remote system 18 then provides the program code to each target device 14 for storage in memory 32. Alternatively, respective ones of the target devices 14 may receive the program code directly from the central system 10 if equipped with a software upgrade utility. Also, the program code may be downloaded from the central system 10 by an unrecognized remote device (not shown) such as a computer and then subsequently transferred via email or other medium to the target device 14. In yet another embodiment, the program code may be stored on a memory card that is subsequently inserted into the target device 14.

Before a target device 14 executes the program code, a code validator 34 included in the device 14 determines whether the program code is signed, and if so, whether the signature is recognized. In one embodiment, the code validator 34 compares encryption key records 36 maintained by the device 14 with the signature generated by the central system 10 and included with the program code. If the signature is not recognized or no signature exists, the target device 14 may choose not to execute the code. This way, program code not generated and signed by the central system 10 is not executed by the target device 14. If the signature is successfully authenticated, a code processor 38 included in the device 14 executes the program code, e.g., by running executable code or compiling (or interpreting) bytecode and then executing the resulting code.

Either way, each target device 14 is shielded from unauthenticated code when the central system 10 signs the program code with an encryption key associated with the corresponding target device 14. The code scanner 28 included in or associated with the central system 10 provides further assurance of code integrity by determining whether the program code contains impermissible code patterns. Thus, when the code scanner 28 is used, signed program code indicates that both the code has been generated by a trusted source (i.e., the central system 10) and the code does not contain impermissible code patterns.

FIG. 2 illustrates an embodiment of the code authenticator 12 included in or associated with the central system 10. The code authenticator 12 signs program code generated by the central system 10 using a hash function 40 and an encryption function 42. The hash function 40 generates a hash value based on the program code being signed. The hash function 40 is a reproducible function (or algorithm) that generates a digital “fingerprint” (hash value) from data (program code). The resulting hash value is simple to compute given the data being processed, but the data is difficult to reconstruct given only the hash value. The hash function 40 may be any conventional hash function such as SHA-1, MD2, MD4, MD5, Snerfu, H-Hash, etc.

The encryption function 42 encrypts the hash value produced by the hash function 40 to generate a digital signature. The digital signature indicates that the program code was generated by a trusted party such as the central system 10. During operation, the encryption function 42 retrieves the encryption key associated with each device 14 for which the program code is designed, e.g., as indicated by the version of the program code or underlying free source code. For example, if the code version corresponds to a particular mobile phone model, the encryption key record 26 associated with that model is retrieved. Regardless, the key used to encrypt the hash value corresponds to the device for which the code is designed or otherwise intended, not the entity that modified the underlying source code. Once the proper key record 26 has been retrieved, the hash value is encrypted using the retrieved key. Any conventional encryption algorithm may be used such as, RSA, Pretty Good Privacy (PGP), ElGamal, DSA, Fiege-Fiat-Shamir, etc.

A message builder 44 constructs a composite message containing the program code, the digital signature, and optional information such as a header and/or digital certificate identifying the encryption key used to sign the program code. The message is provided either directly or indirectly to each device 14 for which the code is designed as previously described. A code validator 34 included in each target device 14 verifies whether the signature associated with the program code is recognized. For example, the code validator 34 may compare the program code signature to various encryption key records 36 maintained by the target device(s) 14. Alternatively, if a digital certificate is provided with the program code and corresponding signature as part of a received message, the code validator 34 may compare the program code signature to a signature included in the digital certificate. Regardless, if the signature associated with program code generated by the central system's code processor 24 is not recognized by a target device 14, the code may not be executed.

FIG. 3 illustrates one embodiment of the code processor 24 included in or associated with the central system 10. According to this embodiment, the code processor 24 generates executable code from a particular version of modified free source code. To that end, the code processor 24 comprises a compiler front-end 46, code optimizer 48, compiler back-end 50 and linker 52. The compiler front-end 46 translates modified free source code into intermediate code (IC), e.g., as illustrated by Step 100 of FIG. 4. As used herein, the term ‘intermediate code’ should be interpreted broadly to include any code represented using a language lower than source code language, but higher than executable code language such as assembly language or machine language. The intermediate code is preferably hardware and operating system independent, thus enabling different types of source code to be generally optimized regardless of hardware and software limitations.

The code optimizer 48 optimizes the intermediate code, e.g., using any conventional code optimization technique such as inline expansion, dead code elimination, constant propagation, loop transformation, register allocation, automatic parallelization etc. After the intermediate code has been optimized, the compiler back-end 50 generates object code from the optimized intermediate code, the object code being based on the native machine language supported by the device(s) 14 for which the code is designed. The linker 52 assembles the object code (and libraries) into executable code suitable for execution by each target device 14. Alternatively, the code processor 24 skips intermediate code transformation and instead directly compiles the modified free source code into executable code. Either way, the code scanner 28 included in or associated with the central system 10 may verify the free source code before the code authenticator 12 signs the corresponding program code.

The code scanner 28 verifies the modified free source code by scanning corresponding intermediate code or the source code itself for impermissible patterns, e.g., as illustrated by Step 102 of FIG. 4. For example, the code scanner 28 may scan intermediate code such as the code output by the compiler front-end 46, code optimizer 48, or compiler back-end 50. Impermissible code patterns correspond to any kind of code sequence that indicates the code should not be executed by the device(s) 14 for which the code is intended. Impermissible code patterns may correspond to proprietary code sequences that should not be modified by un-trusted third parties, e.g., boot code or the modem telecommunication protocols associated with a mobile phone or other wireless communication device. If such proprietary source code is modified absent control, device operation may be compromised. Impermissible code patterns may also correspond to any kind of erroneous or malicious code sequences such as those associated with known software viruses.

During or after code scanning, the code scanner 28 determines whether impermissible code patterns have been detected, e.g., as illustrated by Step 104 of FIG. 4. In one embodiment, the code scanner 28 compares the code being scanned to one or more groups of regular expressions representing impermissible code patterns. A regular expression is an ordered sequence of symbols that describes or matches a set of strings according to certain syntax rules. As such, an impermissible code pattern may be represented by a group of regular expressions. The code scanner 28 may detect an impermissible code pattern by determining that each regular expression in a group matches a particular code string in the scanned code. If a match for at least one of the regular expressions in the group is not identified, then no impermissible code patterns are detected for the particular group of regular expressions.

Regardless, code scan results are provided to the code authenticator 12. If no impermissible patterns are found during code scanning, the modified free source code has been verified. Accordingly, the code authenticator 12 signs the executable code as previously described, e.g., as illustrated by Step 106 of FIG. 4. However, if one or more impermissible patterns are found, the executable code cannot be trusted, and thus, the executable code is not signed by the code authenticator 12. Further, if new code patterns are provided to the code scanner 28, prior versions of the source code may be scanned for the new patterns. Also, if impermissible code patterns are detected, action may be taken against the entity that provided the underlying source code to the system 10, e.g., by denying further access to the system 10 or code stored in the code repository 16. Regardless, the executable code is then stored in the central system 10 either with or without a signature, e.g., as illustrated by Step 108 of FIG. 4.

FIG. 5 illustrates another embodiment of the code processor 24 included in or associated with the central system 10. According to this embodiment, a bytecode compiler 54 generates bytecode from modified free source code, e.g., as illustrated by Step 100 of FIG. 4. The bytecode must be finally compiled before it can execute, and thus, is intermediate code. Typically, a just-in-time compiler is used for compiling bytecode into executable code in real-time. Regardless, the code scanner 28 scans either intermediate code generated by the code processor 24 (i.e., bytecode in this embodiment) or the underlying free source code, e.g., as illustrated by Step 102 of FIG. 4. The code scanner 28 then determines whether impermissible patterns were found during code scan, e.g., as illustrated by Step 104 of FIG. 4. If no impermissible patterns are found, the code authenticator 12 signs the bytecode, e.g., as illustrated by Step 106 of FIG. 4. Otherwise, the bytecode is not signed. The bytecode is then stored in the central system 10 either with or without a signature, e.g., as illustrated by Step 108 of FIG. 4.

The code authenticator 12, code processor 24 and/or code scanner 28 included in or associated with the central software development system 10 described herein may comprise one or more microprocessors, digital signal processors, application specific integrated circuits, field programmable gate arrays, and/or other types of digital processing circuits, configured according to computer program instructions implemented in software (or firmware).

With the above range of variations and applications in mind, it should be understood that the present invention is not limited by the foregoing description, nor is it limited by the accompanying drawings. Instead, the present invention is limited only by the following claims, and their legal equivalents. 

1. A method of maintaining code integrity in a central software development system, comprising: converting modified free source code received by the system to program code; and selectively signing the program code using an encryption key associated with one or more devices for which the program code is designed.
 2. The method of claim 1, further comprising: verifying the modified free source code; and signing the program code if the modified free source code is verified.
 3. The method of claim 2, wherein verifying the modified free source code comprises scanning at least one of the modified free source code or intermediate code generated by the system for impermissible code patterns.
 4. The method of claim 3, wherein scanning for impermissible code patterns comprises comparing at least one of the modified free source code or the intermediate code to one or more groups of regular expressions.
 5. The method of claim 3, wherein scanning for impermissible code patterns comprises scanning at least one of the modified free source code or the intermediate code for at least one of proprietary, malicious or virulent code sequences.
 6. The method of claim 3, wherein scanning the intermediate code for impermissible code patterns comprises scanning one of bytecode, an intermediate representation of the modified free source code, or an optimized version of the intermediate representation.
 7. The method of claim 3, further comprising taking action against an entity that provided the modified free source code to the system responsive to one or more of the impermissible code patterns being detected.
 8. The method of claim 1, wherein selectively signing the program code using the encryption key comprises: selectively calculating a hash value based on the program code; and encrypting the hash value using the encryption key.
 9. The method of claim 1, wherein converting the modified free source code to the program code comprises converting the modified free source code to one of executable code or bytecode.
 10. A central software development system, comprising: a code processor configured to convert modified free source code received by the system to program code; and a code authenticator configured to selectively sign the program code using an encryption key associated with one or more devices for which the program code is designed.
 11. The system of claim 10, further comprising a code scanner configured to verify the modified free source code, and wherein the code authenticator is configured to sign the program code if the modified free source code is verified.
 12. The system of claim 11, wherein the code scanner is configured to scan at least one of the modified free source code or intermediate code generated by the code processor for impermissible code patterns.
 13. The system of claim 12, wherein the code scanner is configured to compare at least one of the modified free source code or the intermediate code to one or more groups of regular expressions.
 14. The system of claim 12, wherein the impermissible code patterns correspond to at least one of proprietary, malicious or virulent code sequences.
 15. The system of claim 12, wherein the intermediate code comprises one of bytecode, an intermediate representation of the modified free source code, or an optimized version of the intermediate representation.
 16. The system of claim 12, wherein the system is configured to take action against an entity that provided the modified free source code to the system responsive to the code scanner detecting one or more of the impermissible code patterns.
 17. The system of claim 10, wherein the code authenticator is configured to selectively calculate a hash value based on the program code and encrypt the hash value using the encryption key.
 18. The system of claim 10, wherein the program code comprises one of executable code or bytecode.
 19. A computer program product for maintaining code integrity in a central software development system, comprising: computer readable program code for converting modified free source code received by the system to program code; and computer readable program code for selectively signing the program code using an encryption key associated with one or more devices for which the program code is designed.
 20. The computer program product of claim 19, further comprising computer readable program code for verifying the modified free source code before the program code is signed.
 21. The computer program product of claim 20, wherein the computer readable program code for verifying the modified free source code comprises computer readable program code for scanning at least one of the modified free source code or intermediate code generated by the system for impermissible code patterns.
 22. The computer program product of claim 21, further comprising computer readable program code for taking action against an entity that provided the modified free source code to the system responsive to one or more of the impermissible code patterns being detected.
 23. The computer program product of claim 19, wherein the computer readable program code for selectively signing the program code using the encryption key comprises computer readable program code for selectively calculating a hash value based on the program code and encrypting the hash value using the encryption key. 